Allow Traffic Between VPN Users

Ash160
Level 1

Hi Experts,

In order to be able to establish softphone calls from one VPN user working from home to another VPN user also working from home, I need to enable traffic between VPN users. I have an ASA 5515.

My understanding is that I need to add a NAT rule:

nat (outside,outside) source static VPN-Pool VPN-Pool destination static VPN-Pool VPN-Pool

is this enough?

9 Replies

Hi,
You will also need this command "same-security-traffic permit intra-interface" configured, to allow traffic to be routed back out the same interface it came in on.

HTH

Do I need another Nat?

nat (inside,outside) source static VPN-Pool VPN-Pool destination static VPN-Pool VPN-Pool
nat (outside,outside) source static VPN-Pool VPN-Pool destination static VPN-Pool VPN-Pool
nat (any,outside) after-auto source dynamic PAT-SOURCE interface

Can you explain more?

Your existing nat rule looks correct, assuming the object in use defines the correct network.

When an AnyConnect user connects to the VPN, their traffic is sourced from the outside interface, so if you want those users to communicate with each other you need a NAT exemption rule "nat (outside,outside) ...".

The command I provided earlier, "same-security-traffic permit intra-interface", allows traffic to be routed back out the same interface it originated on. This is disabled by default on the ASA.
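As an added illustration (not code from this thread or from Cisco), the following Python audit reads an ASA running-config excerpt and reports which of the three prerequisites named in this reply and in the accepted answer are still missing: the intra-interface hairpin command, the pool-to-pool identity NAT on (outside,outside), and the VPN pool in the split-tunnel network list. The config excerpt and the object, ACL and group-policy names in it are constructed placeholders.

```python
import ipaddress
import re

# Constructed ASA running-config excerpt used as sample input (not from the thread).
# It has the hairpin NAT rule but deliberately lacks the other two prerequisites.
ASA_CONFIG = """
object network VPN-Pool
 subnet 10.1.1.0 255.255.255.0
access-list SPLIT standard permit 192.168.1.0 255.255.255.0
nat (outside,outside) source static VPN-Pool VPN-Pool destination static VPN-Pool VPN-Pool
group-policy GP-REMOTE attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT
"""

def parse_objects(cfg):
    """Map each 'object network NAME' to the IPv4Network of its 'subnet A M' line."""
    objs, name = {}, None
    for line in cfg.splitlines():
        if m := re.match(r"object network (\S+)", line):
            name = m.group(1)
        elif (m := re.match(r"\s+subnet (\S+) (\S+)", line)) and name:
            objs[name] = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}")
    return objs

def audit_vpn_hairpin(cfg, pool_name, vpn_ifc="outside"):
    """Return the ASA commands still missing for pool-to-pool VPN traffic (empty = all present)."""
    objs, missing = parse_objects(cfg), []
    pool = objs[pool_name]
    lines = [l.strip() for l in cfg.splitlines()]
    # 1. Hairpinning: traffic may leave on the interface it arrived on (off by default).
    if "same-security-traffic permit intra-interface" not in lines:
        missing.append("same-security-traffic permit intra-interface")
    # 2. Identity NAT on (vpn_ifc,vpn_ifc) so pool-to-pool traffic is not translated by later rules.
    nat_re = re.compile(rf"nat \({vpn_ifc},{vpn_ifc}\) source static (\S+) \1 destination static (\S+) \2$")
    if not any(objs.get(m.group(1)) == pool == objs.get(m.group(2))
               for m in map(nat_re.match, lines) if m):
        missing.append(f"nat ({vpn_ifc},{vpn_ifc}) source static {pool_name} {pool_name} "
                       f"destination static {pool_name} {pool_name}")
    # 3. With split tunnelling, the pool itself must be in the tunnelled network list,
    #    otherwise the client routes peer addresses locally instead of into the tunnel.
    acl = re.search(r"split-tunnel-network-list value (\S+)", cfg)
    if "split-tunnel-policy tunnelspecified" in lines and acl:
        pat = rf"access-list {re.escape(acl.group(1))} standard permit (\S+) (\S+)"
        nets = [ipaddress.IPv4Network(f"{a}/{m}") for a, m in re.findall(pat, cfg)]
        if not any(pool.subnet_of(n) for n in nets):
            missing.append(f"access-list {acl.group(1)} standard permit "
                           f"{pool.network_address} {pool.netmask}")
    return missing
```

Running `audit_vpn_hairpin(ASA_CONFIG, "VPN-Pool")` on the sample returns the intra-interface command and the missing split-tunnel ACL entry; once those two lines are appended to the config the audit returns an empty list.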

I am still not able to get the VPN clients to remote into each other or even ping each other.

I added the access-list, the NAT (outside,outside) rule, and the "same-security-traffic permit intra-interface" command.

Do they have a local firewall turned on?...which is blocking traffic
Provide the output of "show nat detail"

Manual NAT Policies (Section 1)

(inside) to (Internet100) source static VPNAccess-ITGroup VPNAccess-ITGroup destination static NETWORK_OBJ_10.1.1.0_24 NETWORK_OBJ_10.1.1.0_24 no-proxy-arp route-lookup
translate_hits = 191998, untranslate_hits = 192516
Source - Origin: 172.16.12.0/30, 172.16.13.0/24, 172.16.14.0/24, 172.16.16.0/24
192.168.0.0/24, 192.168.9.0/24, 192.168.99.248/29, 192.168.1.0/24
192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24, 192.168.6.0/24
172.16.11.0/29, 172.16.11.0/29, 192.168.0.6/32, 192.168.22.0/23
10.124.125.0/24, 10.124.126.0/24, 10.124.127.0/24, 10.124.127.13/32
192.168.111.0/24, 192.168.6.0/24, 192.168.6.0/24, Translated: 172.16.12.0/30, 172.16.13.0/24, 172.16.14.0/24, 172.16.16.0/24
192.168.0.0/24, 192.168.9.0/24, 192.168.99.248/29, 192.168.1.0/24
192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24, 192.168.6.0/24
172.16.11.0/29, 172.16.11.0/29, 192.168.0.6/32, 192.168.22.0/23
10.124.125.0/24, 10.124.126.0/24, 10.124.127.0/24, 10.124.127.13/32
192.168.111.0/24, 192.168.6.0/24, 192.168.6.0/24
Destination - Origin: 10.1.1.0/24, Translated: 10.1.1.0/24

(inside) to (Internet100) source static any XXXXXXXXXXXXXXX.105.77 destination static OneMail-External-Group OneMail-External-Group
translate_hits = 44632, untranslate_hits = 59757
Source - Origin: 0.0.0.0/0, Translated: XXXXXXXXXXXXXXX.105.77/32
Destination - Origin: 142.46.226.16/30, 142.46.226.20/31, 142.46.226.22/32, 76.75.164.89/32
76.75.164.90/31, 76.75.149.36/31, 76.75.149.38/32, 76.75.177.168/31
76.75.177.170/32, 76.75.133.89/32, 76.75.133.90/31, 76.75.177.138/32
76.75.164.96/32, 76.75.133.96/32, 76.75.149.54/32, Translated: 142.46.226.16/30, 142.46.226.20/31, 142.46.226.22/32, 76.75.164.89/32
76.75.164.90/31, 76.75.149.36/31, 76.75.149.38/32, 76.75.177.168/31
76.75.177.170/32, 76.75.133.89/32, 76.75.133.90/31, 76.75.177.138/32
76.75.164.96/32, 76.75.133.96/32, 76.75.149.54/32
(any) to (DMZ) source static obj-VPNPool obj-VPNPool
translate_hits = 48243, untranslate_hits = 1113
Source - Origin: 10.1.1.0/24, Translated: 10.1.1.0/24

(Internet100) to (Internet100) source static obj-VPNPool obj-VPNPool destination static obj-VPNPool obj-VPNPool
translate_hits = 20, untranslate_hits = 0
Source - Origin: 10.1.1.0/24, Translated: 10.1.1.0/24
Destination - Origin: 10.1.1.0/24, Translated: 10.1.1.0/24

I assume it's the 3rd NAT rule?...which appears to have been hit.

Do they have a local firewall turned on?...which is blocking traffic??

Do you have split tunnel configured?....if yes you will need to tunnel the VPN Pool network.

Yes, I did tunnel it:

access-list Internet100_access_in extended permit icmp object obj-VPNPool object obj-VPNPool

I think it is the local firewall
